Podcast: Essential Best Practices for Data Warehouse Protection and Compliance
In this podcast, Jeff Devlin, a data audit, protection and compliance expert, discusses the special challenges of protecting sensitive data in data warehouses and analytical applications from hacking, breaches and misuse.
“You don’t want a business person, an auditor, or worst case, a breach to tell you, you have a data protection or compliance issue.”
Podcast Summary: Data warehouses increasingly contain more and more sensitive data, including personally identifiable information (PII) and proprietary company information. In this episode, Jeff Devlin, a data audit, protection and compliance expert, will be discussing the special challenges of protecting sensitive data in data warehouses and analytical applications from hacking, breaches and misuse. In these environments, powerful data visualization and analytical tools allow users to circumvent common data audit and protection controls. With data breaches on the rise, and the huge amount of data now accessible in organizations today, this is a critical topic to ensure organizations protect their sensitive data and meet data privacy regulations such as PCI, HIPAA, GDPR and the California Consumer Privacy Act (CCPA).
Podcast Show Notes
Chris Doolittle: Welcome to the second of two podcasts on critical success factors for ensuring and protecting the business value of analytics and data warehousing.
In this podcast, we will be discussing the challenges and essential best practices for data warehouse protection and regulatory compliance.
Data warehouses increasingly contain more and more sensitive data, including customer data, and proprietary company information essential to the running of the business. In this episode, you will learn from an expert with over 30 years’ experience in analytics, data warehousing, audit, and compliance. He will be discussing the unique challenges of protecting sensitive data from hacking, breaches, and misuse, in the highly dynamic environments of data warehouses, and analytic applications. With data breaches on the rise, and the huge amount of data that is now accessible in organizations today, this is a critical topic.
I’m Chris Doolittle, vice president of marketing, and a co-founder at Teleran, a data visibility and protection software company. Today, I’m here again with Jeff Devlin. Jeff is an IT executive, with over 30 years’ experience developing and managing a wide range of enterprise applications and data architectures, and infrastructures in management roles at companies like Wells Fargo, TIAA, Bank of America, Lowe’s, and others.
In our first podcast with Jeff, we discussed critical success factors to ensure data warehouse and analytical applications meet the needs of business. This means understanding the data in the data warehouse. What is its real value to the business? How do business users leverage it to generate more value for the business? And what are the tools data warehouse and data analytics managers use to achieve those objectives?
Now we’re tackling the challenges of data protection and compliance. Jeff, welcome to our second podcast.
Jeff Devlin: Thanks, Chris. Happy to be here.
Challenges Addressing Growing Regulatory Compliance Demands
Chris Doolittle: Terrific. Jeff, you’ve had a lot of experience in large financial services organizations developing and managing data warehouses, CRM systems, as well as implementing data governance, security and compliance across these companies. So, tell us a little bit about the real challenges in addressing growing regulatory compliance demands along with increasing data privacy threats in these large, data-intensive and dynamic environments.
Jeff Devlin: Given the explosion of data that’s stored by companies in all industries, there is a need to protect that data, to monitor that data, to audit that data. We work closely with our business partners, and auditors, both internal and external, to match up our regulatory efforts. And, also to protect the reputation of our companies. Recently it has become a very big challenge. Even now, just talking about it, I’m breaking out into a sweat, because that’s how intense it can be. And certainly that’s how important that effort is.
Establishing a Business Context is Critical to Effective Data Protection and Compliance
Chris Doolittle: In our first podcast, you talked about how critical it is to really understand how the business uses and values the data to ensure that the data warehouse support team can support the business objectives. Is this business context equally important to data protection and regulatory compliance as well?
Jeff Devlin: Yes. Once you start a project where you’ve identified a business need, you work very closely with your business partners to identify the data that’s needed so you can deploy a data mart, a data warehouse, or any type of data store such as a data lake. One of the important aspects of rolling out that application is to consider how you’re going to protect that data, how you’re going to match up controls for that data, how you’re going to understand who is accessing it, and the importance of knowing everything you can in conjunction with the business use of the data. That is hugely important to the success of protecting and governing the applications and data.
Chris Doolittle: So, you develop a business context for the use of the data and then you translate that into how to protect that data. Is that right?
Jeff Devlin: That’s one of the key processes that needs to occur as you’re going down that journey with the application. As you’re going through the data warehouse needs analysis and development process, you’re attempting to make sure that, not only do you return the information to the end user in a timely fashion, and with integrity, but you also have developed very good controls around data security and data governance – what you need to ensure that you have a protected environment.
Chris Doolittle: It sounds like a very comprehensive approach.
Jeff Devlin: Yep. It sure is. It leads to success. You pay up front for doing something, because you don’t want either a business person, an auditor, or worst case, a breach to tell you that you have an issue.
COBIT – A Standard Framework for Establishing and Communicating Your Data Protection and Compliance Controls
Chris Doolittle: So, what are the regulatory controls and challenges for IT to successfully protect the data and comply with this growing list of compliance regulations?
Jeff Devlin: Sure. It’s an alphabet soup of regulations, of standards all under the umbrella of COBIT. COBIT stands for Control Objectives for Information and Related Technology. It’s a standard framework that everyone in your organization can tie into. It helps you interface with auditors, both internal and external, with your business partners, IT, and IT security, to make sure that you are meeting standards.
And those controls need to be examined, tested and refined to meet SOX, GDPR, PII, PCI, HIPAA, and the list goes on. There is so much regulatory pressure, and deservedly so, on companies to protect the consumer, to protect their data under that umbrella of COBIT. That’s what we need to ensure that we’re making progress towards that end.
Chris Doolittle: Interesting. So COBIT is the framework that you use to protect this data, make sure it’s audited, make sure the controls work, regardless of the actual regulatory compliance or privacy compliance requirements, that your particular industry has to deal with. Is that correct?
Jeff Devlin: Sure. COBIT is a framework that allows for communication of controls. You work with your audit department, internal and external auditors, and the business, to make sure that you have defined controls that you audit, that you report on, and that you have analytics on, so that there are no issues for your organization with meeting any regulatory review.
Make Sure Your Data Protection and Compliance Solution Reflects the Business Context
Chris Doolittle: Can you give us some insight, Jeff, into the solutions that you’ve leveraged to address these kinds of challenges around audit, analytics, and controls?
Jeff Devlin: Sure. The most important is to have a very good working relationship and understanding of what your business is. Understanding that, you can move forward to define controls in your application, with the auditors and with the business. You also need to have products, like Teleran’s, that give you the ability to see what’s happening in your data, see who’s accessing it, review those controls, and set up tests for those controls.
You need to create analytics. Analytics are very important. And products, like Teleran’s solution, give you a platform for doing that. Who’s accessing the data? When are they accessing it? Is this fitting within the controls? Do we have unfettered access? What is that about? Is that approved? Did it get sign-off to have that type of privilege? And then certainly you want protections in place. Something to guard the “henhouse”. Something that allows you to protect that data.
Chris Doolittle: Terrific. Thanks. Thanks so much for sharing your insights in this complicated, but important arena. From what we’ve learned today, implementing data protection, audit and controls without establishing a strong business relationship and a solid business usage context can leave critical gaps in your protection, and potentially inhibit the business use and benefits of the data.
You described the COBIT framework, which was really interesting, to develop a comprehensive framework to approaching any kind of regulatory compliance and privacy requirement.
You also described how developing that close business relationship with business management and users of the data warehouse, or the application, is critical to enlisting their support.
And finally, you described tools, like Teleran’s, that are designed to foster a comprehensive understanding, the analytics, the controls, the auditing, in the management and use of the sensitive data in these rapidly changing and dynamic data warehouse environments.
Jeff, thanks so much for the discussion. It was really insightful and I appreciate it.
Jeff Devlin: Thank you, Chris. Really appreciate the opportunity. Thanks.
Jeff Devlin can be reached at firstname.lastname@example.org.
Chris Doolittle can be reached at email@example.com.
Chris is VP Marketing and a co-founder of Teleran. He has over 30 years’ experience in helping companies manage, leverage and protect their business-critical information.